Template Information Security Policy

(1)

Template Information Security Policy

This template details the mandatory clauses which must be included in an agency’s Information Security Policy as per the requirements of the WoG Information Security Policy Manual. In addition, this document also provides context to the mandatory clauses by structuring them within an example Information Security policy, with additional guidance provided on other issues which agencies may wish to consider when

developing their policies.

An agency’s Information Security policy provides governance for information security management, and direction & support within the agency. The development and approval of an agency’s information security policy not only establishes management commitment and governance arrangements, but defines the agency’s policy in all aspects of information security, including asset management, human resource management and compliance.

Template Structure

The Whole of Government Information Security Policy Manual will be referred to in this template as ‘the manual’. The manual and supporting Procedures contain mandatory and recommended statements. Terminology is used as follows to indicate whether a Policy or Procedure statement is mandatory, conditional or recommended.

Keyword Interpretation

MUST The item is mandatory.

MUST NOT Non-use of the item is mandatory.

SHOULD Valid reasons to deviate from the item may exist in particular circumstances, but the full implications need to be considered before choosing this course. SHOULD NOT Valid reasons to implement the item may exist in particular circumstances,

but the full implications need to be considered before choosing this course. RECOMMENDS

RECOMMENDED The item is encouraged or suggested.

‘MUST’ and ‘MUST NOT’ statements are highlighted in red throughout this template. Agencies deviating from these MUST advise the Agency ICT Reference Group of the decision to waive particular requirements. Agencies deviating from a ‘SHOULD’ or ‘SHOULD NOT’ statement MUST record:

• the reasons for the deviation,

• an assessment of the residual risk resulting from the deviation,

• the date at which the decision will be reviewed, and

• whether the deviation has management approval.

Agencies deviating from a RECOMMENDS or RECOMMENDED requirement are encouraged to document the reasons for doing so.

(2)

Information Management Advice 35 Template: Information Security Policy

Page 2 of 49 In this template the mandatory clauses are in red text. Following the mandatory clauses are the non-mandatory clauses as listed in the manual. These are the clauses indicated by the manual that are conditional or recommended, which are suggestions for agencies to consider for inclusion within their own policy. These clauses are listed in

greentext.

In addition, agencies are encouraged to add more information and policy statements to ensure all their information security and business requirements are met. Information for agencies to consider is highlighted in blue text. Examples are as follows:

Tasmanian Government Mandatory Clauses

This is a mandatory clause and cannot be altered or deleted.

This policy was approved on [blue italic text indicates where agencies can insert free text eg. dates] Agency Clauses

This is a recommended clause and can be altered or deleted. [Insert agency specific clauses].

Agencies should also consider the following: xxx

xxx

Tasmanian Government Non-Mandatory Clauses

Clauses listed in the Tasmanian Government Information Security policy where statement is suggested, conditional or recommended.

There are also additional sections in the manual that agencies might like to consider incorporating in their policy framework.

In addition, under section 1.1 Information Security Policy – Obligations, there is listed a number of

mandatory quality criteria. While these are not mandatory clauses and do not have to be included within the agency’s Information Security Policy, they are still activities which agencies must undertake to ensure their Information Security Policy is effective. The mandatory quality criteria are highlighted in red text, an example of which follows:

Mandatory Quality Criteria: xxx

Agencies are strongly recommended to use this document as a basis/template for their Information Security Policy. As can be seen from the above, agency specific policy statements can be added and the blue text/grey box can be deleted.

Note that the Tasmanian Government Information Security Policy describes requirements at a very high level, and does not include a great deal of detailed advice about the specific policies agencies should implement.

This advice includes details of suggested policy areas that agencies can pick and choose to include in their own framework, depending upon the agency’s greatest area of risk.

Information Security Policy Structure

The first section of the agency’s information security policy should detail general information about the overall objective of the policy, the scope, who it applies to, legislative obligations, and who is responsible for review and

(3)

Page 3 of 49 approval of the policy. The sections following this introduction detail the policy requirements structured in line with Tasmanian Government Information Security Policy Manual.

The structure of the policy is at the agency’s discretion. Agencies may wish to develop one single Information Security policy document. Alternatively, agencies may choose to develop an overarching broad policy that covers strategic intent at a portfolio or agency level, with each subordinate agency/functional domain having consistent but tailored specific information security policy statements. For example:

High Level Policy – A brief document that sets the strategic directions for security and assigns the broad responsibility for security within the agency.

Guidelines – Document/s that address specific information security issues. Ideally, agencies should document guidelines for each of the mandatory requirements of the Tasmanian Government Information Security Policy Manual.

Technical Standards – These documents deal with general issues and system specifics.

Procedures – Operational documents that enable compliance with the policies and include the technical details and operational specifications, practices and tasks. For example this could include work instructions, guidelines,

templates, reports, checklists, assessments and plans.

See Tables 1.5 and 1.5.1 which suggest a possible structure for agencies to follow.

Information Security Policy

The Information Security policy includes all aspects of management direction and support for information security in accordance with business, legislation and regulatory requirements. Activities will include policy around compliance, but actual compliance actions should be mapped to compliance management (refer section 11).

The following sections detail the mandatory clauses, mandatory quality criteria, and suggested headings and

(4)

Page 4 of 49 Further Advice

For more detailed advice, please contact: Government Information Strategy Unit Tasmanian Archive and Heritage Office 91 Murray Street

HOBART TASMANIA 7000 Telephone: 03 6165 5581 Email [email protected]

Acknowledgements

• Queensland Government Information Security – Mandatory Clauses, Queensland Government ICT Policy and Coordination Office, Department of Public Works

• Tasmanian Government Information Security Policy Manual

• Thanks to Angela Males and the Department of Police and Emergency Management for use of Policy framework tables

Information security Classification

This document has been security classified using the Tasmanian Government Information Security classification standard as PUBLIC and will be managed according to the requirements of the Tasmanian Government Information Security Policy.

Document Development History Build Status

Version Date Author Reason Sections

1.0 November 2013 Allegra Huxtable Initial Release All Amendments in this Release

Section Title Section Number Amendment Summary

This is the first release of this document. Issued: November 2013

Ross Latham State Archivist

(5)

Department Name

Information Security Policy

(6)

Page 6 of 49

1. Introduction

[Insert agency objectives here]

This section draws together the structure of the agency’s policy, and provides any other pertinent introductory statements required. For example:

A successful Information Security plan consists of establishing a framework comprising security policies, guidelines, standards and procedures.

1.1 Policy Statement

[Insert agency statement here]

The policy statement should be a concise statement of ‘what’ the policy is intended to accomplish. It should be two to three sentences long and should clearly reflect the overall government direction, the agency’s direction and what the policy is hoping to achieve. The statement should be general enough to provide some flexibility and accommodate periodic changes in agency and whole-of-Government related requirements and standards.

1.2 Scope

[Insert agency scope here]

The scope details any limitations or constraints on the applicability of the policy to situations or entities within the agency. This policy should be developed in conjunction (or consultation) with relevant business areas such as finance, audit and senior business management. Agencies should also ensure this policy (and associated processes) adequately addresses security considerations relating to off-site work arrangements (e.g. home-based, mobile, regional, interstate and overseas).

1.3 Objectives

[Insert agency objectives here]

This section details the agency’s policy objectives, how these policy objectives will be achieved and what resourcing will be supplied to support the implementation of the policy. For example, the agency’s objectives could be to:

• protect the agency’s information assets through safeguarding its confidentiality, integrity and availability

• establish effective governance arrangements including accountability and responsibility for information security within the agency

• maintain an appropriate level of employee awareness, knowledge and skill to minimise the occurrence and severity of information security incidents

• ensure the agency is able to continue and/or rapidly recover its business operations in the event of a detrimental information security incident.

1.4 Obligations

[Insert agency obligations here]

A number of regulatory or legal frameworks, guidelines or policies will impact on the development and implementation of the policy. The following mandatory quality criteria have been provided to ensure the agency’s Information Security Policy adheres to the requirements of WoG IS Policy:

(9)

Page 9 of 49 Mandatory Quality Criteria:

• the policy MUST contain the mandatory clauses detailed in the Tasmanian Government Information Security Policy – Mandatory Clauses document

• the policy MUST be prepared on an agency wide basis and linked to agency security risks • the policy is consistent with the requirements of relevant legislation and policies

• the policy is aligned with agency business planning, the agency’s general security plan, and risk assessment findings

• endorsement for the policy is obtained from the relevant governance body • approval for the policy is obtained from the relevant senior executives

• processes relating to IT change management (including maintenance of network systems) and configuration management processes are established and updated as required

• a policy to control email has been developed, implemented and endorsed

• policies and controls have been developed to manage all aspects of online and internet activities including anonymity/privacy, data confidentiality, use of cookies, applications/plug-ins, types of language used, practices for downloading executable, web server security

configuration, auditing, access controls and encryption.

1.5 Information Security Policy Framework Structure

Below is a suggested Information Security Policy Framework, based on an agency example. The Tasmanian Government Information Security Policy Manual includes as mandatory the development of an agency Information Security Policy, the structure of the policy framework is up to the individual agency.

The framework states why information security is important, defines what has to be done to secure communications and information technology resources, how security rules are to be implemented and who is responsible for their implementation.

Framework

element Purpose and content Role Responsible for Approval Policies Information security policies are the high level

mandatory rules that state why information security is important and define the objectives and strategies for protecting the confidentiality, integrity and availability of ICT resources.

Commissioner/Secretary

Guidelines Guidelines contain detailed security requirements and criteria for meeting information security policy objectives and strategies.

Deputy Commissioner

Technical

Standards Technical Standards contain detailed security requirements and criteria for meeting guidelines and policy objectives. Technical Standards may incorporate information security checklists.

Director Corporate Services or relevant Commander Procedures Procedures explain in detail how the security

(10)

Page 10 of 49

1.5.1 Information security policy categories

The information security plan framework is built around the following policy categories.

Category Objective

Information Security

Governance & Managment Define roles and responsibilities within the Agency for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security.

Record Security To ensure that controls are established to achieve best practice record keeping to protect the creation, preservation, disposal, transfer, release and access to agency Government records

Information Security

Classification To ensure that official information is protected commensurately with the consequences of unauthorised disclosure, misuse or compromise. Physical Environment

Security To ensure that controls are in place to protect the physical security of all communication and information technology resources. The level and types of controls implemented should minimise the risk of equipment or information being rendered inoperable or inaccessible, or accessed or removed without appropriate authorisation.

Asset Management To ensure that security-classified agency communication and information technology resources are identified and recorded in registers so that responsibility can be assigned for maintaining appropriate security controls.

Personnel and Awareness To ensure that employees, contractors and third parties understand their responsibilities and are suitable for the roles they are considered for and to reduce the risk of theft fraud or misuse of agency information and ICT facilities.

Operational Procedures

and Responsibilities To ensure that security controls MUST be in place to safeguard all operations of agency information facilities and systems. Network Security To ensure that security controls are established to protect agency

networks and infrastructures from unauthorised access and to safeguard information confidentiality and integrity.

Electronic Information

Transfer To ensure that appropriate security controls are in place to protected information when being transferred electronically. To prevent the loss, modification or misuse of Agency data, stored or transmitted on computerised communications systems.

Identity & Access

Management To prevent unauthorised computer access.

Security audit logging To ensure that information related to security relevant activities is recognised, recorded, stored and analysed in order to minimise future security incidents and to provide evidence of past security incidents. Information Systems

acquisition, development and maintenance

To define security requirements of information systems during all stages of the information system life cycle.

(11)

Page 11 of 49

Category Objective

Business Continuity

Management To have business continuity plans available to counteract interruptions to AGENCY information systems and business activities from the effects of major failures or disasters.

Information Technology

Media Management To prevent unauthorised use, disclosure, modification, removal or destruction of fixed and removable information technology media Cryptography To ensure that approved cryptographic systems and techniques are used

for the protection of information that is considered at risk and for which other controls do not provide adequate protection.

Malicious and mobile code

control To protect the integrity of AGENCY software, data and information from the threat of computer malicious code and unauthorised mobile code infection.

Monitoring for Compliance To define requirements for monitoring use of information processing facilities in accordance with AGENCY policy, statutory law, common law, international law and contractual requirements.

Incident Management To ensure that effective processes are established for detecting, reporting, recording and resolving information security incidents.

Information Security Risk

Management Regular risk assessments and system audits should be conducted to ensure the security of Communication and Information Technology (CIT) resources.

(12)

Page 12 of 49

1.5.2 Information Security Policy and Related Framework

Elements

Policy Guidelines Technical

Standards Procedures Information Security Governance & Management Yes Yes

Record security Yes Yes

Information Security Classification Yes

Physical Environment Security Yes Yes Yes

Asset Management Yes Yes

Personnel and Awareness Yes

Operational Procedures and Responsibilities Yes Yes

Network Security Yes Yes

Article I. Electronic Information Transfer Article II.

es Yes Yes

Identity and Access Management Yes Yes Yes

Security Audit Logging Yes Yes Yes

Information Systems Acquisition, Development

and Maintenance Yes Yes

Business Continuity Management Yes Yes

Information Technology Media Management Yes Yes Yes

Cryptography Yes

Malicious and mobile code control Yes Yes Yes

Monitoring for Compliance Yes

Incident Management Yes

(13)

Page 13 of 49

1.6 Implementation

[Insert agency implementation requirements here]. Tasmanian Government Mandatory Clauses

This policy will be communicated on an ongoing basis and be accessible to all employees. Agency Clauses

[Insert agency specific clauses].

The implementation and review section details how the policy will be implemented including how the policy will be communicated and be accessible to all appropriate agency employees.

Details the performance measures or review mechanisms established to ensure the policy is being implemented effectively.

1.7 Policy Owner/Enquiries

[Insert agency text here].

Agencies should identify the owner of the Information Security Policy and who is responsible for the development and ongoing review of the policy. Contact details for enquiries should be listed in this section.

1.8 Policy Approval

[Insert agency policy approval here]

This policy [insert version number] was endorsed by [insert name of governance body] on [insert date].

This policy [insert version number] was approved by [insert name and role title] on [insert date]. Agency Clauses

This section details the specific delegations for approval of security policies.

Agencies should obtain appropriate approval/endorsement/signoff from the agency Chief Executive Officer and their Information Steering Committee (or similar agency governance body).

1.9 Policy Review

[Insert agency review details here]

This policy is reviewed [annually]. The next scheduled review is [insert date].

This policy will also be reviewed and evaluated in line with changes to business and information security risks to reflect the current agency risk profile.

Agency Clauses

The agency should review their policy periodically (at least annually) and as a result of significant changes to the agency business or structure, machinery-of-Government changes, information security risk analysis, information security compliance assessment and reports of security incidents.

(14)

Page 14 of 49

2. Information Security Governance and

Management

The governance domain includes all activities related to the governance, authorisation and auditing of information security arrangements within the organisation. Roles and

responsibilities relating to information security within the agency should also be defined. Tasmanian Government Mandatory Clauses

Policy:

The Head of each agency MUST convene an Information Security Committee composed of senior management, or assign the role to an existing senior management committee. This Committee is responsible for ensuring the Policy is applied.

Mandatory procedures:

Each agency MUST govern its application of the Policy with an Information Security Committee composed of senior management, or assign the role to an existing senior management committee. The role of the Committee is to:

• direct the development and maintenance of an agency Information Security Plan, • direct the implementation of the Information Security Plan across the agency, • assign responsibilities to individual officers,

• approve information security roles within the agency,

• oversee the maintenance and implementation of an agency communications plan for information security, and

• oversee routine information security inspections and reviews. Agency Clauses

See TAHO Advice 35 Part 3 for details relating to the mandatory requirements. Agencies should also consider the following:

• Detail the agency’s internal governance arrangements. Information security governance arrangements must be established and documented (including roles and responsibilities) to implement, maintain and control operational information security within the agency, – e.g. an information security committee (ISC) or existing committee within the agency

• Information security controls should address all relevant business requirements and considerations

• Information security controls should be integrated with all agency processes to create a coherent approach to agency business

• Agencies should consider implementing an information security management system. Designated Information security officers should be appointed whose role is to coordinate:

 implementation of agency information security policies and plans;

 delivery of information security communication, education and training; and

 investigations of information security incidents.

• Agencies may have several designated Information Security Officers covering different areas. For example, separate officers may be responsible for ICT security, physical security, individual business units and/or record security.

• Agency Information Security Officers SHOULD report directly to the Agency Information Security Committee on information security matters.

(15)

Page 15 of 49 • Accountability and responsibilities for information security should be clearly outlined including the

implications of breaches of security policy

• Endorsement for the information security internal governance arrangements should be obtained from the relevant senior executives and governance body.

2.1 External Party Governance

Agencies should also consider external party governance arrangements they have in place. This includes all activities related to the governance, authorisation and auditing of information security arrangements for external parties that handle organisational information.

Information security external governance arrangements should be established and documented to ensure that third party service level agreements, operational level agreements, hosting agreements or similar contracts clearly articulate the level of security required and are regularly monitored.

Endorsement for the information security external governance arrangements must be obtained from the relevant senior executives and governance body.

Agencies should also consider the following:

• detail agency participation in external/whole-of-Government information security committees

• detail the external organisations that handle the organisation’s information

• are there policies and processes in place at these external organisations?

Further information on information security roles and responsibilities is detailed in the TAHO Information management Advice 35 Part 3 - Information Security Governance.

2.2 Information Security Plan

The information security plan includes all activities relating to developing and maintaining information security plans, and ensuring that plans are communicated and accessible to employees as necessary.

An Information Security Plan MUST be developed and MUST align with agency business planning, general security plan and risk assessment findings.

Endorsement for the Information Security Plan MUST be obtained from the relevant senior executives and governance body.

A threat and risk assessment MUST be conducted for all ICT assets that create, store, process or transmit security classified information at least annually or after any significant change has occurred, such as machinery-of-Government.

Agency Clauses

Agencies should provide a brief summary of their Information Security Plan including a link to where the plan is located.

2.3 Information Security Risk Management

Information security risks are threats or vulnerabilities that introduce uncertainty regarding the availability, confidentiality or integrity of information. Structured risk assessments help to prioritise risks and implement appropriate risk management procedures.

(16)

Page 16 of 49 Each agency is to consider legislation and policy relevant to its business that could impact on how it manages information security risks. Information security risk management can be undertaken as part of a broader agency risk management approach.

Each agency MUST identify, quantify and prioritise risks against risk acceptance criteria and determine appropriate controls to protect against risks.

Agency Clauses

Agencies SHOULD use AS/NZS ISO 31000:2009 to guide risk management.

Agencies SHOULD also refer to Standards Australia HB 231:2004 for specific guidance about managing information security risks.

• To avoid duplication of effort and increase effectiveness of risk assessments, it is RECOMMENDED that agencies:

 combine information security risk assessments with other business-related risk assessments, and

(17)

Page 17 of 49

3. Resource Management

Each agency MUST maintain and apply appropriate protective policies and procedures for resources, including:

• protecting records of business activities,

• applying information security classifications where applicable, • controlling physical access to information assets, and

• controlling the use of information and communications technology

3.1 Record Security

Section 11 of the Archives Act 1983 requires that Heads of Agency, officers or employees of government departments MUST maintain appropriate custody of records on behalf of the Crown until dealt with in accordance with the Act.

In addition to the Archives Act 1983, each agency MUST take into account legislation that is specific to its business operations when managing record security.

The Archives Act 1983 stipulates that employees of state or local government agencies (or any other person) MUST NOT dispose of records of any type without the written authority of the State Archivist. Written authority may take the form of either:

• a Disposal Schedule (a continuing disposal authority listing records by type and identifying appropriate disposal actions); or

• an authorised Destruction Authority (a one-off authorisation to destroy the specific records listed therein).

Agencies MUST transfer records to the Tasmanian Archive & Heritage Office in accordance with Section 11 of the Archives Act. In addition, at the time of transfer, agencies MUST allocate appropriate access restrictions for these records in accordance with Section 15 of the

Archives Act 1983 and TAHO Guideline 4 – Agency determination of access restrictions. Agencies MUST comply with the following TAHO Guidelines prior to transferring records to non-Tasmanian Government entities:

• Guideline 10 – Outsourcing of government business: recordkeeping issues • Guideline 14 – Privatisation of government business: recordkeeping issues

Disposal of information MUST be conducted according to guidelines set out by the State Archivist.

Agency Clauses

• Each agency must have an active Records Management Program

• Each agency must have an identified Records Manager

• Each agency must have an information asset register that contains the details of all of the agencies assets regardless of format. This register must identify the information asset owner & custodian, and all assets must have a disposal category and information classification assigned.

3.2 Information Security Classification

Information security classification includes all activities that ensure information is appropriately classified.

(18)

Page 18 of 49 Tasmanian Government Mandatory Clauses

All information assets MUST be assigned appropriate security classification and control in accordance with the Tasmanian Government Information Security Policy Manual.

If an agency is not obliged to use other information security classification marking and handling then it MUST conduct a risk assessment to determine the appropriate marking and handling from the Tasmanian Government Information Security Policy Manual.

Information Security Classification schemes do not limit the provision of relevant legislation under which the [agency/department/entity] operates.

Agency Clauses

The level of security controls should be commensurate to the classification level, value and degree of reliance on the information and systems. Agencies should provide information about how the agency’s information assets are classified, e.g. Are they recorded in the agency’s information asset register? In many cases, it is not practical to classify each item or document. It is RECOMMENDED that agencies consider applying an information security domain to a set of assets. An information security domain is a logical grouping of items that require a similar level of protection, for example all personnel records may be given the same record security classification.

3.3 Information Asset Register

The asset protection responsibility domain includes all activities that implement and maintain appropriate protection of organisational assets.

Agencies SHOULD maintain security classified record/information asset registers to record details of each classified asset that is classified PROTECTED or HIGHLY PROTECTED. Security classified record registers may be part of an overall information asset register or managed separately. The register itself is an information asset that SHOULD be classified as X-IN-CONFIDENCE.

All ICT assets that create, store, process or transmit security classified information MUST be assigned appropriate controls in accordance with the Tasmanian Government Information Security Classification.

All ICT assets (including hardware, software and services) and information assets should be identified, documented and assigned ICT asset custodians for the maintenance of security controls.

All ICT assets that provide underpinning and ancillary services must be protected from

internal and external threats (eg. mail gateways, domain name resolution, time, reverse proxies, remote access and web servers).

Agency Clauses

Information should be provided about the agency’s information asset register (or similar registers for security classified information), including what information assets are identified, documented, the owners/custodians etc.

Further information on the requirements of information asset registers can be located in TAHO Information Management Advice 39: Developing an Information Asset Register

(19)

Page 19 of 49

4. Physical Environment Security

Prevention of unauthorised physical access to Tasmanian Government information assets requires protection of facilities, information and people from damage or interference. Protecting physical assets from unauthorised access includes issues such as:

• the need for, method and extent of public access to the workplace (e.g. schools, libraries, and health facilities all have high levels of public access);

• emergency evacuation procedures and how they link to access control procedures; • protection against ill intentions of authorised personnel inside facilities in addition to

intruders;

• restrictions and requirements for multi-tenanted sites (i.e. sites shared with other organisations);

• requirements for sites that are shared with other agencies; and

• the review of risk assessments when the use of a building, or the level of risk, changes.

4.1 Physical Environmental Controls

Physical environment controls include all activities that ensure information security is not compromised by unauthorised physical access, damage or interference to premises or information.

Agencies MUST implement and maintain a comprehensive set of physical environment controls that meet requirements identified by a risk assessment.

Building and entry controls for areas used in the processing and storage of security classified information must be established and maintained.

Physical security protection (commensurate with the security classification information levels) MUST be implemented for all offices, rooms, storage facilities and cabling infrastructure. Control policies (including clear desk/clear screen) MUST be implemented in information processing areas that deal with security classified information.

Agency Clauses

• What are the agency’s control policies?

• What areas need physical entry and perimeter controls (eg. computer rooms, document storage)?

• How are all other areas (eg. offices, workstations, delivery facilities, third party access) to be secured?

• What type of access mechanisms should be used (eg. beyond just a locked door)?

• Each agency is to also consider legislation and policy relevant to its business or activities that could impact on the physical environment.

4.1.1Entry Control and Visitor Control

It is RECOMMENDED that control of entry to buildings is exercised by admitting visitors and personnel through only one entrance, either by recognition, an identity pass or by a security key or an automatic access control system. An identity pass system does not automatically ensure security; if it is treated as no more than a routine formality, it can become a danger to security.

(20)

Page 20 of 49 Doorkeepers who carry out security functions SHOULD be issued with written instructions on their duties for every entrance together with details of those passes whose holders may be admitted. The instructions are to contain the names and telephone numbers of those persons to whom the doorkeepers report incidents of security significance both during and outside working hours.

It is RECOMMENDED that close liaison between those doorkeepers and the agency security organisation is maintained to ensure that the written instructions are understood, observed and kept up to date and that the doorkeepers carry out their duties efficiently.

Protocols for staff to challenge unescorted strangers are RECOMMENDED.

4.1.2 Entry Control by Personal Recognition

Where the number of personnel is small, it is RECOMMENDED that the safest means of controlling entry is by individual recognition, provided that:

• alert and responsible doorkeepers are regularly employed on the same duty and they are capable of resisting attempts by persons to evade their control; and

• the rate of personnel turnover is low and personnel are initially introduced to the doorkeeper and that the doorkeeper is informed when individuals cease to be employed in the building.

This method SHOULD NOT be used for controlling the entry of large numbers of personnel.

4.1.3. Entry Control by Identity Pass

Agencies SHOULD issue different types of entry passes for permanent employees, ancillary personnel, regular and casual visitors.

Agencies SHOULD implement the following when an identity pass system is used:

• Each pass is serially numbered and a record kept of the person to whom it was issued. • Everyone receiving a pass is required to sign for it immediately in the presence of the

issuing officer.

• The pass does not identify the premises to which it gives access.

• The graphic design of passes used by agencies is changed from time to time. Personnel SHOULD be instructed as follows when an identity pass is issued: • to immediately report the loss of a pass to the issuing officer;

• to return the pass to the issuing officer, or an agency security officer, as appropriate, when going on leave;

• not to keep their passes with other documents that may disclose their place of work; and • to return the pass when they cease to hold the appointment or occupation for which the

pass was issued, or when the period of validity of the pass has expired. Similar instructions, as appropriate, apply to holders of period or temporary passes.

Personnel SHOULD be required to show their passes each time they enter the premises and, at the discretion of agencies, when they leave. This exposes an intruder to risks of detection, brings lost or mislaid passes to early notice, and ensures the collection of day passes. In addition, personnel leaving outside normal working hours SHOULD be required to produce their passes on departure to the doorkeeper. If there is no doorkeeper after normal working hours, other options include using a logbook or an automatic access control system.

(21)

Page 21 of 49

4.1.4 Visitor control in high-risk areas

The procedures for visitor access will vary, depending upon the nature of the business and level of risk in each work area.

At a minimum, except for designated public areas, doorkeepers SHOULD allow visitors to enter a work area only if the visitor is on recognised business (ie a meeting) or is cleared by a host official.

It is RECOMMENDED that agencies have accommodation plans that discourage the need for staff to have visitors in high-risk areas.

Where the risk is high or extreme, visitors to areas housing a substantial amount of sensitive information SHOULD NOT be allowed uncontrolled freedom of movement. In areas that necessitate access pass control, visitors SHOULD be escorted when on the premises. It is RECOMMENDED that prior notice be given to the doorkeeper of the expected visitor and whether the visitor needs to be escorted within the building.

On arrival visitors SHOULD, if appropriate, be issued with a pass and escorted either to a waiting room (that is observable by an officer or the doorkeeper) or to the host official. The visitor control record SHOULD be covered to prevent visitors from seeing the details of other visitors.

Visitors SHOULD be advised that no photographs or recordings of any type are to be taken at any time during the visit. It is RECOMMENDED that visitors be asked to deposit mobile phones and other equipment at the reception desk.

The host official SHOULD be contacted by telephone and asked if they will receive the visitor if the official concerned has not given prior notice of the visit. If calling on more than one official, visitors SHOULD be escorted between offices.

The person last visited SHOULD be responsible for ensuring that the visitor leaves the building when their business is concluded, and any pass issued is duly returned to the agency. They SHOULD either escort the visitor to the entrance or arrange for another member of staff to act as escort. Access and exit from visiting areas SHOULD be arranged to avoid entry to working areas where sensitive material may be on display or accessible.

In agencies with a substantial flow of enquiries or visitors, it is RECOMMENDED that a reception desk is located close to the main entrance.

4.1.5. Identification of Personnel Keeping Unusual Hours

Agencies SHOULD determine if there is any information security risk involved with personnel keeping unusual hours. Agency policies and practices regarding personnel working unusual hours will also be determined by other factors, including occupational health and safety issues. Agencies SHOULD maintain a record of personnel who have after-hours access, as a

minimum.

If risks warrant it, procedures may include:

• maintaining logs of all after-hours access (including late departures and early arrivals), and/or

(22)

Page 22 of 49 • developing an understanding of which members of personnel make a habit of and have a

need to access the workplace after hours.

If it is revealed that an officer is regularly keeping unusual hours without the reasons being evident, it is RECOMMENDED that an agency information security officer make discreet enquiries to determine the reason.

4.1.6 Buildings and Secure Areas

Agencies SHOULD develop and maintain documented procedures for work areas to protect the information held within, or accessible from, the work area.

4.1.7 Planning Accommodation

Security requirements SHOULD be specifically referred to in any accommodation brief. Careful planning of layout within a building can reduce security problems, for example:

Where protection against eavesdropping is required offices SHOULD be selected that do not share walls with other tenants and not be situated close to common use corridors and stairways.

• Registries SHOULD be located near to the offices they serve to facilitate the secure movement and control of sensitive documents.

• To reduce the risk of unauthorised people reading documents or computer screens, staff engaged in sensitive work SHOULD NOT be working in view of others.

• To encourage proper storage and disposal of information, security facilities such as

lockable filing cabinets and shredders SHOULD be conveniently located for staff members that are required to use the facilities.

4.1.8 Secure Zones within Buildings

When varying degrees of security protection are required within the same building, high-risk activities SHOULD be concentrated in one area and segregated as a secure zone. Access to such zones SHOULD be adequately secured and the entrance confined to staff with

authorised access.

Staff themselves can control entry to the secure zone. Entrances SHOULD be reduced to one or two doors, locked during working hours and with a visitors’ bell outside.

Where a normal locking system is used, it is RECOMMENDED that keys used by staff during working hours are mustered and locked away in a security container at the close of work. Alternatively, an automatic code lock or card access control system can be used.

4.1.9 Managing the Risk of Overhearing

Under normal working conditions, ordinary speech is not intelligible beyond a range of 15 metres. Exceptions, where this distance may be exceeded, include conditions of quietness or where sound waves could be ducted by building structural anomalies or with technical aids. In considering the risk of overhearing (as distinct from eavesdropping by technical means), it is RECOMMENDED that other sounds which may mask speech in sensitive rooms are taken into account. The risk of overhearing is obviously increased when windows are open, especially at ground level.

(23)

Page 23 of 49 Dictation is more easily overheard than ordinary conversation and it is RECOMMENDED not to dictate very sensitive communications.

4.1.10 Telephone/video call or conference

Video conferencing is a form of real-time communication, like a telephone call, and presents the same risks of overhearing. It is recommended that precautions are taken to:

• ensure there is no sensitive or inappropriate material or activity visible in the frame of a video call,

• assess potential security risks arising from the office design and what may be visible or audible during a call,

• consider the risk of overhearing/eavesdropping if the conversation is broadcast through speakers, and

• ensure video and voice calls are only recorded with the express permission of all participants.

Net curtains or opaque glass may provide protection. When a room is artificially lit, net curtains do not always provide protection and it is RECOMMENDED that curtains or blinds (including venetian blinds) are drawn or closed to minimise risk.

4.1.11 Ancillary staff

The security vetting of ancillary staff does not negate the need for physical security measures. In implementing protective measures and security education for those handling sensitive information, agencies SHOULD ensure that ancillary staff (guards, cleaners, decorators, maintenance workers, canteen staff etc) do not have access to sensitive documents or equipment and do not overhear discussions or dictation involving sensitive matters.

4.1.12 Managing the Risk of Over-viewing from Outside

Telephotography can be used to photograph documents from any position at an angle greater than 15 degrees above horizontal. The effective range depends on the equipment used and the conditions prevailing at the time. All windows of offices or rooms where sensitive work is undertaken can be regarded as vulnerable to telephotography from outside.

4.1.13 Room Security

It is RECOMMENDED that locked security containers are be used to protect sensitive documents during working hours. It is the responsibility of individual officers and supervisors in large units such as registries to ensure that the documents cannot be read, handled or removed by persons not authorised to see them.

Security containers include lockable drawers, lockable filing cabinets, safes etc. It is RECOMMENDED that the selection of security containers be based on the level of risk, remembering that cleaners normally have unsupervised access to locked offices.

Sensitive documents SHOULD be locked up whenever they are not in actual use. If a room is to be left unoccupied, sensitive documents (including waste) are to be locked in security containers during any absence of more than a period to be specified in agency security

(24)

Page 24 of 49 instructions. In deciding what period to specify, it is suggested that agencies have regard to the nature of other security precautions within the building.

When a room is left unattended for less than the specified minimum period and sensitive documents are not locked away, the following SHOULD occur:

Doors and windows to the room are closed and secured.

Sensitive documents are protected from being read from outside.

If cleaners or other workers might have access from outside, all sensitive documents are to be locked away whenever a room is vacated.

The degree of protection needed for material such as internal telephone directories varies with agency responsibilities and is a matter for the discretion of the agency, taking into account the details of job description contained in the directory.

4.1.14 Room Checks by Occupants at Close of Work

Occupants SHOULD check all rooms at the close of work to ensure that sensitive documents, including sensitive waste, have been properly locked away in security containers and security keys mustered. To ensure that this task is carried out regularly, a roster system can be implemented before offices are vacated.

It is RECOMMENDED that in agencies holding a substantial amount of highly sensitive information, an agency security officer checks rooms after the departure of occupants and before entry of cleaners or guard patrols.

4.1. 15 Conferences and Meetings

When officers are required to take material into meetings, the following precautions are RECOMMENDED:

• Prior to commencing the meeting, ensure that unauthorised people are not present. • Ensure that no sensitive information or waste remains in the room at the close of the

meeting.

• When representatives of outside organisations are present, preclude the possibility of official documents being over-viewed by unauthorised people by planning appropriate seating arrangements.

Prior to leaving a meeting room it is RECOMMENDED that: • whiteboards are cleared of sensitive information,

• USB drives and other portable electronic devices are removed, and • any sensitive documents are removed and disposed of securely.

If special security arrangements are considered necessary for a meeting, agency security staff SHOULD be consulted.

4.1.16 Home-based work environments

Agencies SHOULD ensure that home-based employees have suitable physical security arrangements in place for the storage and use of all official information, both electronic and paper.

(25)

Page 25 of 49

4.1.17 Mail and other delivery areas

The planning of accommodation and associated procedures SHOULD address risks associated with the receipt and dispatch of mail and other items, including:

• ensuring adequate protection from unauthorised access to items awaiting delivery or to items that have been delivered;

• ensuring adequate protection from unauthorised access to mail and parcel items, including items using internal couriers; and

• appropriate procedures relating to the handling of suspicious deliveries. Where appropriate, agencies SHOULD consult with Tasmania Police.

4.1.18 Asset Management

Asset Management includes equipment security and all the activities that ensure information security is not compromised by loss, damage, theft or other compromise of the organisation’s physical equipment assets.

All ICT assets that store or process information MUST be located in secure areas with access control mechanisms in place to restrict use to authorised personnel only.

Policies and processes MUST be implemented to monitor and protect the use and/or maintenance of information assets and ICT assets away from premises.

Policies and processes MUST be implemented to securely dispose and/or reuse ICT assets, commensurate with the information asset’s security classification level.

The following Treasurer’s Instructions, issued under the Financial Management and Audit Act 1990, relate to the management of assets:

• TI. 301 – Reporting Procedures in Cases of Illegal Entry and/or Damage to or Loss of Property or Money

• TI. 302 – Recording of Losses

• TI. 304 – Recording of Non-current Assets Agency Clauses

• If physical controls are not possible, agencies need to detail the control methods in place.

• How and where is critical equipment to be sited?

• What safeguards are to be in place?

• What safeguards are in place for power supplies to critical equipment?

• How is cabling to be protected?

• How is communications equipment to be housed?

• How and who is allowed to carry out maintenance on equipment?

• What is the policy on security of equipment kept off site (eg. home use equipment, portable equipment)?

• What is the process/who authorises the disposal and reuse of equipment?

(26)

Page 26 of 49

5. Information and Communications Technology

Information and Communications Technology includes all activities that ensure appropriate resource management procedures, specifically relating to information and communications technology (ICT).

Each agency MUST implement and maintain a comprehensive set of information security controls relating to ICT that meet requirements identified by a risk assessment.

Agencies MUST refer to the ‘Tasmanian Government WAN and Internet Services Information Security Policies and Standards’ regarding information security controls relating to WAN and internet services.

Agencies MUST implement detection, prevention and recovery controls to protect against malicious software.

Agency Clauses

[Insert agency specific clauses].

• Agencies SHOULD identify and treat risks associated with ICT by referring to AS/NZS ISO/IEC 27002:2006.

5.1 Operational Procedures and Responsibilities

Operational procedures and responsibilities include all activities that ensure the correct and secure operation of information processing facilities.

Operational procedures and controls must be documented and implemented to ensure that all information assets and ICT assets are managed securely and consistently (in accordance with the level of security required).

Operational change control procedures MUST be implemented to ensure that changes to information processing facilities or systems are appropriately approved and managed.

Agency Clauses

• What processes must be documented and who is responsible?

• What is the policy with regard to separating the development/testing environment from the operational environment?

5.2 Third Party Service Delivery

Third party service delivery includes all activities that implement and maintain information security in line with service delivery agreements.

Third party service delivery agreements MUST comply with the Policy.

Third party service delivery agreements MUST be periodically reviewed and updated to ensure they address any changes in business requirements but remain compliant with the Policy.

Third party service operating agreements MUST specifically address third party governance policies and processes (see TAHO Advice 35 on Information Security Governance).

(27)

Page 27 of 49 Agency Clauses

• Will the service agreements be audited against the policy and how often?

• What processes must be documented and who is responsible?

• Is there a document style template that must be used?

• What is the policy for segregating duties that might involve a conflict of interest?

• What are the specific duties that must be segregated?

• Do separation agreements with the supplier consider information security arrangements (eg. at the end of a contract or breaking of a contract)?

• Have outsourcing/external hosting separation expectations and processes been documented?

• Will the agency be notified in the event of the supplier’s insolvency? Can the agency terminate the contract?

• Have escrow agreements been established to ensure that rights to data, systems, and codes will be transferred to the agency in the case of the supplier’s collapse?

5.3 Capacity Planning and System Acceptance

Capacity planning and system acceptance includes all activities that monitor resources and set criteria for system changes to reduce the risk of system failure.

System acceptance MUST include confirmation of the application of appropriate security controls and of the capacity requirements of the system.

System capacity MUST be regularly monitored to ensure risks of system overload or failure which could lead to a security breach are avoided.

Agency Clauses

• What processes are subject to authorised change control?

• Is there a process for implementing changes to information systems?

• Who is responsible for information systems capacity planning?

• What processes or systems need to be monitored for future planning?

• Who is responsible for the migration of new systems or upgrades into the operating environment?

5.4 Backup Procedures

Backup procedures include all activities that maintain the integrity and availability of information and applications through the use of backup activities.

Comprehensive information and system backup procedures and archiving MUST be implemented.

Agency Clauses

(28)

Page 28 of 49 • What is the policy for logging system activities?

• What is the policy on systems maintenance?

• What are the authorisation processes?

5.5 Network Security

The network security domain includes all activities that ensure the security of information being passed over networks.

Network security policy MUST be developed and documented to guide network administrators in achieving the appropriate level of network security.

Processes to periodically review and test firewall rules and associated network architectures MUST be established to ensure the expected level of network perimeter security is

maintained.

Processes MUST be established to periodically review and update current network security design, configuration, vulnerability and integrity checking to ensure network level security controls are appropriate and effective.

A policy on scanning MUST be developed to ensure that traffic entering and leaving the agency network is appropriately scanned for malicious or unauthorised content.

Agency Clauses

• Who is responsible for network management?

• What are the policies and processes for remote access?

• Who authorises external connections?

• All external perimeter access should be secured using defence-in-depth security systems, including firewall, intrusion detection and prevention systems

5.6 Information Technology Media Management

Disposal includes removal of media off-site under warranty or hardware service agreements. Unauthorised use of information can occur through careless disposal.

When disposing of media, agencies MUST ensure all information held on the media is either retained or disposed of in a secure fashion and in accordance with the Archives Act 1983, and; Hardware (e.g. computers) MUST be disposed of in accordance with the disposal Treasurer’s Instructions, issued under the Financial Management and Audit Act 1990 including the following Treasurer’s Instructions

• TI. 1301 – Disposal of Goods – Overview; and • TI. 1305 – Disposal of Personal Computers

Agencies SHOULD address the need for sanitisation or destruction of media prior to reuse in a new environment or disposal. Media sanitisation and disposal guidelines are suggested in the table below. For more information see the Australian Government Information Security Manual.

(29)

Page 29 of 49 Security Construction and Equipment Committee for the destruction or sanitisation of

electronic media or equipment. See the Australian Government Security Construction and Equipment Committee Security Equipment Catalogue for more details.

Agency Clauses

• What is the process for reusing media? eg. Hard drives, backup tapes.

• What is the process for transporting and storing media?

• What is the process and who authorises disposal of all types of information? eg. Paper documents, disks, and system documentation?

• What is the process for storage, handling and access to all types of information types? eg. How is media to be labelled, use of distribution lists, filing of emails, facsimiles?

5.7 Electronic Information Transfer

The information exchange domain includes all activities that maintain the security of information exchanged (internally or externally).

Methods for exchanging information within the agency, between agencies, through online services, and/or with third parties MUST be compliant with legislative requirements and MUST be consistent with the the manual.

The type and level of encryption MUST be authorised and compliant with the requirements of the manual.

All information exchanges over public networks, including all online or publicly available transactions/systems MUST be authorised either directly or through clear policy. Agency Clauses

• What type of information can be sent over public networks (eg. facsimiles/email)?

• What checks are in place to check for transmission receipts?

• What is the policy in relation to information and communication devices including answering machines, electronic diaries?

5.8 eCommerce

The eCommerce domain includes all activities that ensure the security of e-commerce services and their use.

All critical online services MUST have penetration testing performed periodically. Agency Clauses

• What checks are to be carried out prior to instituting e-commerce services?

Template Information Security Policy